As anyone who has been hanging around on this forum for a while will know one of the most common questions is “How do I get into the industry?” and as always the users on the forum will go out of their way to give helpful advice.

I have a slightly different question.

It seems to me that a few of the guys (and girls) on forum work for themselves or as consultants in the industry.

I want to hear from a few of you as to the challenges you faced while starting up your company.

How did you get your first client? I imagine its hard to convince someone to let you perform a pentest on their network when you have no rep in the industry.

Has it been worth it?

What advice would you give to someone on the forum who is thinking of starting up there own company or working as a consultant?

Something else to keep in mind is that if you run your own business, you will probably spend more time on business activities than whatever services you provide. Legal work, accounting, marketing, sales, etc. are going to take a significant amount of time. Don't start a business unless you want to run a business or have the resources to contract all those services out.

Disclaimer: I'm currently employed elsewhere, but I've run my own business for a stint and have done consulting on the side during some of my previous positions.

I actually decided to start my own web pentesting company last month. For the past 2 years, I've been doing consulting work for various start-ups while looking for a full-time job. 2 months ago I did a pentest on my friend's website and got a nice amount of money for it (despite the fact that I offered to do it for free). As a result, I decided to try and see if I could make any money doing pentesting for other sites. However, I'm having trouble finding that second client.

Besides using word-of-mouth with my friends, for the past 3 weeks I've been looking for sites that have obvious security holes (like a login system without HTTPS) and sending out e-mails. I've gotten responses from 2 websites, both of which basically said, "We know and we don't care."

This past week, in addition to searching for those kinds of sites, I've been attempting to find freelance security jobs, but I haven't found anything useful. If anyone has any advice, please let me know.

On the bright side, most of my interviews involve me going through 3-5 phone interviews, then flying out to the company before getting rejected. So not finding clients is a lot less frustrating, and a lot less work, than not finding a job!

The ones that start a business to make a living The ones that start a business to become the next billionaire (so they think)

I assure you, being a pentester will maximum be the first one.

The second ones usually blow up within a year or 2,3 max. I'm not investing in those business anymore, I lost too much money so far with several failures.

The first type of business is still a good business. The book advise on the million dollar consultant is a good book.

I have actually a friend who is a very senior consultant in IT, call it a top Java specialist, used to be with Sun but is on his own the last 4 years and he is invoicing his personal consulting services for more than 1 Million $ a year. We don't see him very often. He's all over the world. So it is possible. I would never want his life. Never. He's actually not living. He's consulting.

I would say if possible start small with a minimum of investment. If possible do it as a side job. The best consultants who work on payroll and who want to become independent still can work for their previous boss usually. that's my experience.

SecurityMonkey wrote:What advice would you give to someone on the forum who is thinking of starting up there own company or working as a consultant?

Apart from the being good at the skills you are offering, one major think is marketing. Security being a tough competition, as many skilled people offering their service, marketing is a Big Must. There must be something to make you stand out shining from the competition.I would spend majority of my capital 'initially' in marketing, because only when you sell u earn and u learn.

Start with 'FREE' we all love it when its free. Look at everything around as case study,

Metasploit- Started as free (still community version is free) but then added certain Pro products which make a 'buck'

SecurityTube- Started as providing infosec education at no cost and still does provide a huge set of topics for free. Once successful started infosec certifications at a low price, again making a buck.

All those guys might have not started the project to make money initially but we all know how over the years some of free products have developed into industry must haves.

What are you doing to get your name out there? Are there any local ISSA, ISACA, OWASP, etc. meetings you could speak at? Focus on establishing a solid reputation; don't just knock on doors and ask for work.

prats84 wrote:Security being a tough competition, as many skilled people offering their service, marketing is a Big Must. There must be something to make you stand out shining from the competition.

Actually, one of the most significant problems is the amount of unskilled people that are offering these services. There's an abundance of charlatans passing off copy-pasted Nessus reports as "penetration tests." I even saw one assessment where the consultants made a huge deal out of two systems that were in fact their own systems that they included in the scan on accident.

A lot of organizations are having these services performed to satisfy a compliance check box. How are you going to position your quality services against others' that cost a fraction of what you charge when the customer doesn't care about quality? I think there's a huge gap between the amount of work available and the amount of legitimately skilled practitioners.

Last edited by dynamik on Thu Oct 11, 2012 11:19 am, edited 1 time in total.

ajohnson wrote:What are you doing to get your name out there? Are there any local ISSA, ISACA, OWASP, etc. meetings you could speak at? Focus on establishing a solid reputation; don't just knock on doors and ask for work.

'm not actually trying to be part of the security community. I'm trying to go after small businesses and start-ups that have no idea they need security. Sites that don't use HTTPS and send credit card numbers in plaintext for example. There's definitely a market for that, but I'm trying to figure out how to market to people who don't have any idea of the security risks.

ajohnson wrote:What are you doing to get your name out there? Are there any local ISSA, ISACA, OWASP, etc. meetings you could speak at? Focus on establishing a solid reputation; don't just knock on doors and ask for work.

'm not actually trying to be part of the security community. I'm trying to go after small businesses and start-ups that have no idea they need security. Sites that don't use HTTPS and send credit card numbers in plaintext for example. There's definitely a market for that, but I'm trying to figure out how to market to people who don't have any idea of the security risks.

The same concept applies. Join the local Chamber of Commerce and/or find other events where you can interact with local business owners.

ajohnson wrote:What are you doing to get your name out there? Are there any local ISSA, ISACA, OWASP, etc. meetings you could speak at? Focus on establishing a solid reputation; don't just knock on doors and ask for work.

'm not actually trying to be part of the security community. I'm trying to go after small businesses and start-ups that have no idea they need security. Sites that don't use HTTPS and send credit card numbers in plaintext for example. There's definitely a market for that, but I'm trying to figure out how to market to people who don't have any idea of the security risks.

You need to think of it from their perspective. How many people do you think contact them on a regular basis for these "Services".

If they're doing anything PII (HIPAA, CreditCard, Banking, etc) and not doing HTTPS, and you and show it without "being evil" (BE ETHICAL), then you might want to let the agency that is concerned with that know (the ones you report to with violations).

As for ISACA, ISSA, etc, you're gutting yourself from the word go. Not everyone that goes to them know everything, and some are looking for help from other people. #misec is made up of several skilled people (100 or so of us), and we all have our specialties. We also leverage the others in the community for help. You may meet someone that needs or wants a web app pen test, but doesn't have the skill in house and willing to hire you if you have the references to back you up.

What many don't understand is that it's absolutely not easy to find a job. I think it's easier to make a buck to provide training to people than to actually make a living doing pentesting on a daily basis.

I have customers who need pentesters. I do this because of my customers question.

There is no way my customers are going to trust somebody else to sneak around and provide some report about it. That's the whole thing in this industry. TRUST is everything. That's where the power is.

Actually, one of the most significant problems is the amount of unskilled people that are offering these services. There's an abundance of charlatans passing off copy-pasted Nessus reports as "penetration tests." I even saw one assessment where the consultants made a huge deal out of two systems that were in fact their own systems that they included in the scan on accident.

Strongly agree with you. Its not just limited to Penetration Testing but also to the Infosec education being offered.

Actually, one of the most significant problems is the amount of unskilled people that are offering these services. There's an abundance of charlatans passing off copy-pasted Nessus reports as "penetration tests." I even saw one assessment where the consultants made a huge deal out of two systems that were in fact their own systems that they included in the scan on accident.

I would not limit this to just Infosec... I have found that a lot of the IT guys I have worked with claim to have this cert and that training but in the real world they don't have a clue! Training in Inforsec and IT has become such a HUGE money spinner that every man and his dog wants a part of it.

Strongly agree with you. Its not just limited to Penetration Testing but also to the Infosec education being offered.